Hi all, I'm new to Shopify and online retail. I did search for this, but found nothing (which seems odd).
I will be using the 'buy button' to sell products. All is well creating/styling the buttons. When I generate the code, I noticed my API key is visible for anyone to see if they view source on the webpage. This seems like a big security issue! How can I hide the API key easily?
The API keys used in the Buy Button are fine to be seen. They don't compromise the security of your store and give access to online storefront data only (aka, the stuff you can already see on the store).
Hey Jason,
How about if the API key is visible for other items?
This was my concern when it comes to the Storefront API. If that key has scoped access to customers I'm wondering if a malicious party could get to the customer access token. And therefore have access to a customer's personally identifiable information. Unless a Storefront API development scenario calls for it, I explicitly remove access to the Customers area for the API key...
Do you think we should have pause for concern since this key is publicly visible?
<meta name="shopify-checkout-api-token" content="fc99e8e5aeb53d116da2f3f61f0e">
Here is some documentation about this --> https://shopify.dev/docs/admin-api/rest/reference/access/storefrontaccesstoken. The token inherits the default unauthenticated access scopes. There's a link to those specifics in the documentation as well. Shopify has a good amount of API documentation. Like most providers, it takes some work keeping it totally accurate and up to date. But it's pretty helpful!
Thank you. I had referred to this document initially, which leads me to believe that specific token is safe to show publicly since it's read-only. It wasn't exactly clear, but that's my assumption. It seems to be a newly emerging topic.
You're welcome. The only thing I would check in terms of granted access scopes for the API key is when it comes to read-only for customers. If a malicious party were to snoop and somehow retrieve the customer token then I'm thinking they could pull PII (Personally Identifiable Information) for the customer. Maybe that's just me being paranoid though...
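The scope check discussed in the post above, as an added example that is not part of the original thread or Shopify's own code: it audits the `access_scope` of each storefront access token and flags customer-related scopes. The sample response, ids, titles, token values and the allowlist are constructed, and `access_scope` is assumed to be a comma-separated string as in the linked reference.

```javascript
// Constructed sample, shaped like the Admin REST API response for listing
// storefront access tokens. Ids, titles and token values are made up.
const sampleResponse = {
  storefront_access_tokens: [
    { id: 101, title: "Buy Button", access_token: "EXAMPLE_TOKEN_A",
      access_scope: "unauthenticated_read_product_listings,unauthenticated_read_checkouts" },
    { id: 102, title: "Custom storefront", access_token: "EXAMPLE_TOKEN_B",
      access_scope: "unauthenticated_read_product_listings, unauthenticated_read_customers,unauthenticated_write_customers" },
    { id: 103, title: "Legacy widget", access_token: "EXAMPLE_TOKEN_C", access_scope: "" },
  ],
};

// Assumption: this storefront only needs catalog and checkout access.
const ALLOWED_SCOPES = new Set([
  "unauthenticated_read_product_listings",
  "unauthenticated_read_checkouts",
  "unauthenticated_write_checkouts",
]);

// Split the comma-separated access_scope string, tolerating spaces and empties.
function parseScopes(accessScope) {
  return String(accessScope || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
}

// Return one finding per token that carries customer scopes or scopes outside
// the allowlist. The token value itself is deliberately left out of findings.
function auditStorefrontTokens(response, allowed = ALLOWED_SCOPES) {
  const findings = [];
  for (const token of response.storefront_access_tokens || []) {
    const scopes = parseScopes(token.access_scope);
    const customerScopes = scopes.filter((s) => /^unauthenticated_(read|write)_customer/.test(s));
    const unexpectedScopes = scopes.filter((s) => !allowed.has(s));
    if (customerScopes.length > 0 || unexpectedScopes.length > 0) {
      findings.push({ id: token.id, title: token.title, customerScopes, unexpectedScopes });
    }
  }
  return findings;
}

// Print a short report for the constructed sample.
for (const f of auditStorefrontTokens(sampleResponse)) {
  console.log(`token ${f.id} (${f.title}): customer scopes = ${f.customerScopes.join(", ") || "none"}`);
}
```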
Totally understandable... at the same time I don't see how they'd be able to retrieve this from just having the store token unless the customer was vulnerable already.
Thanks Jason, that's good to know!